[German] A short note for blog readers who use the Discord service. Cyber criminals have modified the AnarchyGrabber malware so that it can be used to harvest passwords in Discord. A new feature also lets it infect friends of the victim.
What is Discord?
Discord (also called Discordapp) is an online service for instant messaging, chat, voice and video conferencing that was created mainly for gamers. Discord can be used as a web application or with proprietary client software on all common operating systems. Discord claims to have more than 250 million registered users.
What is AnarchyGrabber?
AnarchyGrabber is malware developed to steal the Discord access data of its victims. AnarchyGrabber is often distributed for free in hacker forums and YouTube videos. Cyber criminals try to spread the Trojan on Discord as a 'cheat for games', a hacking tool or protected software. I had already reported on such an approach in the German blog post Malware verwandelt Discord-Client in Trojaner in early April 2020.
New Password-Stealer AnarchyGrabber3
Bleeping Computer reports in the following tweet that cyber criminals are now stealing passwords with a modified AnarchyGrabber3 malware.
Discord client turned into a password stealer by new malware – @LawrenceAbrams https://t.co/d9tVW7PTm3
— BleepingComputer (@BleepinComputer) May 24, 2020
This is nothing fundamentally new. But the threat actors behind the new malware have modified it in such a way that the AnarchyGrabber3 grabber not only extracts passwords in plain text but also tokens. In addition, two-factor authentication is deactivated, and the malware can be distributed to friends of the victim via a command. An AnarchyGrabber3 infection can be detected because the file
%AppData%\Discord\Discord\[version]\modules\discord_desktop_core\index.js
of the Discord client has been modified. Other JavaScript files of the malware are loaded from there; for example, an inject.js is loaded from the new 4n4rchy folder. In the unmodified version of index.js there is probably only one statement:
module.exports = require('./core.asar');
If other statements are found there, there is a high probability of infection. Further details can be found at Bleeping Computer.
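As an added example (my own script, not from this post or from Bleeping Computer), here is a small Python check that implements the test described above: it reads the index.js of every installed Discord version under the path given in the post, compares it against the single expected statement, and additionally flags the 4n4rchy folder. The marker strings, the comment stripping and the quote normalisation are my assumptions.

```python
import os
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# The only statement expected in a clean discord_desktop_core/index.js (as stated in the post).
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"
# Strings the post associates with AnarchyGrabber3; assumed sufficient as simple markers.
KNOWN_MARKERS = ("4n4rchy", "inject.js")

def _normalise(text: str) -> List[str]:
    """Drop // comments, blank lines and quote style so harmless formatting noise is not flagged."""
    lines = []
    for raw in text.splitlines():
        line = re.sub(r"//.*$", "", raw).strip().replace('"', "'")
        if line:
            lines.append(line)
    return lines

def classify_index_js(text: str) -> Dict[str, object]:
    """Return a verdict ('clean', 'modified' or 'infected') for one index.js content."""
    lines = _normalise(text)
    markers = sorted({m for m in KNOWN_MARKERS if m in text})
    # Any require() that does not load core.asar is an extra module being pulled in.
    extra_requires = [l for l in lines if "require(" in l and "./core.asar" not in l]
    if lines == [EXPECTED_INDEX_JS]:
        verdict = "clean"
    elif markers:
        verdict = "infected"
    else:
        verdict = "modified"  # changed, but without the markers named in the post
    return {"verdict": verdict, "markers": markers, "extra_requires": extra_requires}

def scan_discord(appdata: Optional[str] = None) -> List[Tuple[str, Dict[str, object]]]:
    """Check every Discord version under %AppData%\\Discord\\Discord (path as given in the post)."""
    base = Path(appdata or os.environ.get("APPDATA", "")) / "Discord" / "Discord"
    results = []
    for index_js in base.glob("*/modules/discord_desktop_core/index.js"):
        verdict = classify_index_js(index_js.read_text(encoding="utf-8", errors="replace"))
        # The post also names a new 4n4rchy folder next to the modified module.
        if (index_js.parent / "4n4rchy").is_dir():
            verdict["markers"] = sorted(set(verdict["markers"]) | {"4n4rchy folder"})
            verdict["verdict"] = "infected"
        results.append((str(index_js), verdict))
    return results

if __name__ == "__main__":
    for path, v in scan_discord():
        print(f"{v['verdict']:9} {path} markers={v['markers']} extra={v['extra_requires']}")
```

Run it on the affected machine; an empty result means no Discord installation was found at that path, not that the client is clean.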